On Monday, 14 November 2016 16:57:20 UTC, Jakob Bohm wrote:
> If this is the only privacy mechanism in 6962bis, I would suggest that
> everyone not employed by either Google or another mass-monitoring
> service block its adoption on human rights grounds and on the basis of
> being a mass-attack on network security.

Whereas I would say almost the precise opposite: the Web PKI is a _public_ resource; if you don't want your certificates to be examined by the _public_ then you are in the wrong place and need to look into a private CA. Redaction has no place in public CT logs. If a private CA wants to operate redacted logs in which everything is too murky to make any useful conclusions about anything, they're welcome to do just that.

Even from this very limited perspective of protecting a subscriber from themselves, redaction falls down badly, as I explained in my posts when Chromium mooted what redaction policies should be accepted earlier this year.

The snooping argument amounts to very little. If you were paying attention to CT logs when greatagain.gov was launched, or if you really stare hard at all the new certificates logged for the .gov TLD, you will have discovered what Hillary's transition site would have been called. But amid a media saturated with wall-to-wall US election news, focusing on even the tiniest slivers of new information, nobody even mentioned it. Not because the White House staff have some elite redaction technology that allowed them to keep it off the record, but because it's just not that interesting.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy